BoomBox

Malware updated 4 months ago (2024-05-05T00:17:48.171Z)
BoomBox, tracked by Microsoft as a malicious downloader, is delivered through trusted channels as part of an infection chain that also involves EnvyScout, NativeZone, and VaporRage. It first downloads an encrypted file from a Dropbox account controlled by the actor. After the download, BoomBox discards the first 10 bytes (header) and the last 7 bytes (footer) of the file and decrypts the remainder with a hardcoded encryption key and IV. The decrypted file is written to %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll.

As a reconnaissance step, if the infected system is domain-joined, BoomBox runs an LDAP query to collect the distinguished name, SAM account name, email, and display name of all domain users. BoomBox then downloads a second encrypted file from Dropbox, again discarding bytes before decryption.

Once the host data is collected, BoomBox AES-encrypts it and masquerades the result as a PDF by prepending and appending the PDF magic markers to the encrypted string. It uploads the data to a folder in Dropbox dedicated to that victim system and continues even if the upload fails. To verify the upload, BoomBox matches the HTTP response from Dropbox against regular expressions.
Description last updated: 2024-05-05T00:05:08.827Z
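The PDF masquerading and the header/footer trimming described above lend themselves to analyst-side checks. The following is an added example, not code from this page or from Microsoft's analysis: it flags blobs that carry PDF magic markers around a structureless, ciphertext-like body, and carves the 10-byte header and 7-byte footer off a downloaded stage so the ciphertext can be decrypted offline with a recovered key/IV. The entropy threshold, the sample blobs, and the function names are assumptions.

```python
import math
import re

PDF_HEAD = b"%PDF"
PDF_TAIL = b"%%EOF"
# Keywords every genuine PDF body contains; a wrapped ciphertext blob has none of them.
PDF_STRUCTURE = re.compile(rb"\b(obj|endobj|xref|trailer|startxref)\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext sits close to 8.0, text-heavy PDFs well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_wrapped_ciphertext(blob: bytes, entropy_threshold: float = 7.5) -> bool:
    """True when the blob has PDF magic markers at both ends but the body between
    them shows no PDF object structure and has ciphertext-like entropy.
    The 7.5 threshold is an assumed tuning value, not taken from the report."""
    if not (blob.startswith(PDF_HEAD) and blob.rstrip(b"\r\n").endswith(PDF_TAIL)):
        return False
    body = blob[len(PDF_HEAD):blob.rfind(PDF_TAIL)]
    if PDF_STRUCTURE.search(body):
        return False
    return shannon_entropy(body) >= entropy_threshold


def strip_stage_padding(blob: bytes, head: int = 10, tail: int = 7) -> bytes:
    """Mirror the described unwrapping of a downloaded stage: drop the first 10
    and last 7 bytes, leaving the ciphertext for decryption with the key/IV
    recovered from the sample (decryption itself is out of scope here)."""
    if len(blob) <= head + tail:
        raise ValueError("blob shorter than header+footer padding")
    return blob[head:len(blob) - tail]


# Constructed samples (not real captures): a stand-in for the wrapped upload, with
# a flat byte distribution standing in for AES output, and a minimal genuine PDF.
WRAPPED_SAMPLE = PDF_HEAD + bytes(range(256)) * 16 + PDF_TAIL
REAL_PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                   b"xref\n0 1\ntrailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")

if __name__ == "__main__":
    print("wrapped sample flagged:", looks_like_wrapped_ciphertext(WRAPPED_SAMPLE))
    print("real PDF flagged:", looks_like_wrapped_ciphertext(REAL_PDF_SAMPLE))
```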
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations: other elements of context that could aid in the identification of relevance. None listed.
Source Document References
Information about the BoomBox malware was read from the documents corpus below.

Source: MITRE | Created: 2 years ago | Title: Breaking down NOBELIUM’s latest early-stage toolset - Microsoft Security Blog